SAP Works with Hanko to Develop Passwordless Logon for SAP Universal ID

By Fred Donovan, Senior Editor, SAPinsider

Enterprises face an explosion of cyberattacks and data breaches, many of them enabled by weak passwords. Once attackers compromise an employee’s account, they can gain access to sensitive corporate data as well as the internal network. 

Data breaches can cost companies millions of dollars in direct and indirect costs. According to the Cost of a Data Breach Report 2020, the average cost of a data breach was $3.86 million last year. Calculation of the cost includes value of lost data, remediation and response effort, ransom payments, regulatory fines, lawsuits, lost customers, and brand damage.   

At the same time, imposing robust security restrictions on employees to avoid account compromise could create barriers to usability and productivity. 

To address these dual risks, SAP decided to team with German startup Hanko to add biometrics-based passwordless security protection to its recently launched SAP Universal ID, which provides SAP users with a unified account that enables access to all SAP products and services in one place. 

“SAP Universal ID puts the user in control by linking all of the existing company associations and being able to switch between them as needed,” explains Michael Braun, IT Chief Product Owner of Identity and User Management at SAP.   

“Companies are looking for the most secure way to protect user accounts without impacting the user experience,” he adds. 

SAP Universal ID offers one set of log-in credentials for SAP customers. But this convenience also means that if the password is compromised, the attacker may gain access to multiple SAP services and accounts at once.  

“If you are putting all of your eggs in one basket, you want to make sure that the basket is really secure,” says Felix Magedanz, founder and CEO of Hanko. “This is a perfect opportunity to deploy passwordless technology that is also multifactor capable,” he adds. 

Hanko was invited to participate in a three-month startup accelerator program at SAP.iO Foundry Berlin. In a joint proof of concept, the SAP team tested Hanko’s passwordless authentication technology with Touch ID and Windows Hello for SAP Universal ID. 

Magedanz observes that legacy multifactor authentication (MFA) methods still rely on a password as the first factor and a second factor that uses another device to send a code that needs to be typed into the first device. “The legacy methods are not optimal” in terms of security and usability, he says. 

Advances in Biometrics 

Until recently, biometric authentication could only be used in native apps on mobile devices. This changed with a new web standard called “WebAuthn” that makes it possible to use biometrics on websites. This standard, adopted by the World Wide Web Consortium (W3C), is built into all modern browsers.

W3C worked with the Fast IDentity Online (FIDO) Alliance to develop its WebAuthn standard, which was launched in 2016. 

The FIDO Alliance is an open industry association founded in 2013 to develop and promote authentication standards that reduce reliance on passwords. FIDO supports security keys, biometrics, trusted platform modules, embedded secure elements, and smart cards. The FIDO passwordless security keys can be connected to a device using USB, near-field communication (NFC), or Bluetooth to authenticate a user, Magedanz relates.

With its managed cloud application programming interface (API), Hanko enabled SAP developers to access WebAuthn infrastructure from the beginning of the project. Hanko accompanied the SAP team, providing demo code and client and server software development kits. To create an optimal user experience (UX), Hanko also supported the UX team in the development and implementation of the new user flows for the passwordless authentication methods. 

SAP Tests Passwordless Logon 

SAP is still testing the passwordless logon for its SAP Universal ID, relates Braun. “Working together with Hanko, who provided us with the complete passwordless infrastructure, was a win for us. We could concentrate on integrating the solution and reusing the infrastructure that was already there,” he says.

Braun adds that the two companies finished the implementation in one-third of the estimated time, saving time and money. 

Braun says that SAP Universal ID has been enabled for most of its customer-facing sites. SAP Universal ID supports more than 500 SAP sites including SAP.com, SAP for Me, SAP Community, SAP ONE Support Launchpad, SAP Support Portal, and SAP PartnerEdge. 

SAP Universal ID works on Firefox, Chrome, Safari, and Edge, as well as the latest versions of iOS and Android for smartphones and tablets.  

SAP plans to roll out additional capabilities beyond passwordless logon, including a broader MFA capability to improve account security. The company also wants to support customer identity providers so that federated single sign-on capabilities can be deployed across the SAP landscape.  

Watch a short video of the interview.